RE: WAP issues with XKMS [was RE: Mobile XKMS clients]

The current XKMS spec allows a validity period to be included for a response
so that a relying party can rely on cached responses. I believe that a nonce
is supported as well (i.e. with TransactionId) so that freshness within the
validity period (or in lieu of a validity period being used) is supported.

2.2.6 states "Techniques for protection against replay attacks MUST be
recommended in the security considerations section. Specific techniques
SHOULD be defined, such as nonce, origination time, and serial numbers in
requests, for example." Unless I missed something, that was the only
related requirement. There's nothing specific about a validity period
though. We could add something like

"The specification MUST define a validity period for public key status
responses so that when supported, clients may choose to rely on cached
responses." 

(or something like this).

Mike

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie]
Sent: Tuesday, February 26, 2002 8:07 AM
To: www-xkms@w3.org
Cc: Deacon, Alex; 'Blair Dillaway'; Yassir Elley
Subject: Re: WAP issues with XKMS [was RE: Mobile XKMS clients]

<...snip...>

Anyway, my questions to you all are:-

- do we want to allow this type of thing? (now,later,never)
- is it allowed/prevented by the current requirements document?
- if not, what language to add to allow/prevent it?

Stephen.

Received on Tuesday, 26 February 2002 08:49:56 UTC
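The trade-off Mike describes (a validity period lets a relying party reuse a cached status response, while a nonce echoed as a TransactionId binds a live response to one request) can be seen in a relying-party cache policy. This is an added illustration, not code from the thread or the XKMS specification; the field names, the StatusResponse record and the timestamps are constructed for the example and do not follow the XKMS schema.

```python
# Added example: a relying party's handling of key-status responses that carry
# a validity period and echo the request nonce. Field names are illustrative.
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

@dataclass(frozen=True)
class StatusResponse:
    key_id: str          # which public key the status refers to
    status: str          # constructed values: "Valid", "Invalid", "Indeterminate"
    transaction_id: str  # echo of the nonce sent in the request
    not_before: int      # validity period bounds, seconds since epoch
    not_on_or_after: int

def new_request_nonce() -> str:
    """Unpredictable nonce attached to each live request."""
    return secrets.token_hex(16)

def accept_fresh(resp: StatusResponse, sent_nonce: str, now: int,
                 cache: Dict[str, StatusResponse]) -> bool:
    """Accept a live response only if it echoes our nonce (freshness) and is
    inside its validity period; accepted responses are cached for later reuse."""
    if resp.transaction_id != sent_nonce:
        return False  # not bound to this request: replayed or misrouted
    if not (resp.not_before <= now < resp.not_on_or_after):
        return False
    cache[resp.key_id] = resp
    return True

def cached_status(key_id: str, now: int,
                  cache: Dict[str, StatusResponse]) -> Optional[str]:
    """Rely on a cached response while its validity period holds; None otherwise."""
    resp = cache.get(key_id)
    if resp is None or not (resp.not_before <= now < resp.not_on_or_after):
        cache.pop(key_id, None)  # expired entries are dropped, forcing a fresh query
        return None
    return resp.status

def demo() -> dict:
    """Fresh acceptance, cache hit, rejected replay, and expiry of the cache entry."""
    cache: Dict[str, StatusResponse] = {}
    t0 = 1_014_710_000  # constructed timestamp
    nonce = new_request_nonce()
    fresh = StatusResponse("key-A", "Valid", nonce, t0, t0 + 3600)
    results = {"fresh_ok": accept_fresh(fresh, nonce, t0, cache)}
    results["cache_hit"] = cached_status("key-A", t0 + 600, cache)
    # The same response presented against a later request: the nonce no longer matches.
    results["replay_ok"] = accept_fresh(fresh, new_request_nonce(), t0 + 700, cache)
    results["after_expiry"] = cached_status("key-A", t0 + 3600, cache)
    return results
```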